criticalCVE-2025-58146

XAPI Database Input Validation Denial of Service Vulnerability

There are multiple issues. 1. Updates to the XAPI database sanitise input strings, but try generating the notification using the unsanitised input. This causes the database's event thread to terminate and cease further processing. 2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI uses libraries which conform to the stricter v3.1 of the Unicode spec. This causes some strings to be accepted as valid UTF-8 by XAPI, but rejected by other libraries in use. Notably, such strings can be entered into the database, after which the database can no longer be loaded. 3. There is no input sanitisation for Map/Set updates on objects in the XAPI database.

ProductXAPI
CVSS9.4
EPSSNot scored yet
UpdatedJuly 9, 2026

Quick answer

Xen Project XAPI should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Affected XAPI versions according to NVD

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

XAPI is affected by multiple input validation issues involving database updates, UTF-8 handling, and Map or Set updates. Apply the vendor XAPI security update and validate that the XAPI database can load and process events normally. Prioritize pools where lower-privilege administrators or automation can write metadata into the XAPI database.

  1. Inventory XAPI-based pools and identify automation or delegated administrators that can update object metadata.
  2. Apply the vendor XAPI update that fixes CVE-2025-58146.
  3. Back up the XAPI database and pool metadata before remediation.
  4. Review recent object updates, Map or Set metadata changes, and unusual UTF-8 strings in pool data.
  5. Monitor XAPI event processing and database load behavior for failures or terminated event threads.
  6. Restrict metadata write permissions to trusted administrators until all hosts are patched.
  7. Restore from a trusted backup if malformed database content prevents normal XAPI operation.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm all XAPI hosts include the fix for CVE-2025-58146.
  • Validate the XAPI database loads cleanly and event processing continues after malformed input tests.
  • Review XAPI logs for event thread termination, database load failures, or invalid UTF-8 errors.
  • Test normal pool, host, VM, storage, and metadata workflows after remediation.
  • Run a Fixnx scan and confirm no public virtualization management endpoint is exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2025-58146?

Xen Project XAPI versions listed as affected should be reviewed: Affected XAPI versions according to NVD.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.